WCET 2007, Pisa

Analysing Switch-Case Tables by Partial Evaluation
Niklas Holsti, Tidorum Ltd

From binary file to control-flow graph

[Diagram: binary memory image, start address, control-flow graph, WCET analysis]

Problem: dynamic transfer of control (DTC), for example a jump via a register

Overview
● Analysing DTC from a switch-case statement
● When compiled into a switch table interpreted by a switch handler routine
● Partial evaluation (PE) of switch handler
● Example

Switch tables and switch handlers
● Various forms of switch tables
   – depending on compiler, index type, dense/sparse, ...
● Compiler generates:
   – switch table T
   – call or jump to switch handler (Table T, Index k)
● Switch handler
   – looks up Index in Table
   – jumps to that case using DTC

Switch-case statement:
   switch (k) {
      case 4: ...
      case 8: case 9: case 11: ...
      default: ...
   }

Switch table (a constant table that maps index value to code address):
   4            A
   8, 9, 11     B
   others       C

One handler – many switches

[Diagram: routines Foo and Bar each contain code, a switch table (T1, T2) and a call to the shared Handler: Call (T1, Ind1) and Call (T2, Ind2). The Handler's DTC leads to the cases in T1 or the cases in T2.]

A real switch handler
IAR compiler for Atmel AVR
● Same handler for many index types (8, 16, 32 bits)
● Complex table structure
   – entries of variable length

[Figure: the switch handler, with the DTC marked]

Partial Evaluation of switch handlers

[Diagram, before: Call (Table, Index) enters the switch handler for any Table and any Index; its DTC goes to addresses defined in the Table]

Partially evaluate the switch handler with respect to the known switch table T for a given switch-case statement

Table T:
   Index        Addr
   4            A
   8,9,11       B
   default      C

[Diagram, after: Call (Index) enters the residual switch handler for table T and any Index, which tests Index and jumps to A, B, or else C]

DTC is resolved into static jumps

Eureka
● The analysis “runs” the switch handler
● The switch handler itself decodes the switch table

The example
● Here shown on a symbolic level
   – paper shows AVR machine code
● Partial Evaluation as implemented in Bound-T
   – on the fly while building flow-graph
   – data state: some variables bound to constants

Simple 8-bit switch table & handler

   switch (k) {
      case 4: ...
      case 8: case 9: case 11: ...
      default: ...
   }

Switch table entry fields: Mask, Match, Address

SwHandler parameters:
   – pointer Tp to switch table
   – 8-bit Index (k) of switch-case

SwHandler flow graph:
   (Index and Tp.Mask) = Tp.Match ?
      =  Jump to Tp.Address (DTC, target ?)
      ≠  Advance Tp to next entry (loops back to the test)

0. Detect invocation of switch handler
● Start PE with initial data-state Tp → T[0]
● Expand SwHandler “in-line”

Flow graph (1 node so far):
   Tp := addr (T[0]); Index := k; invoke SwHandler      (Aha! Entering switch handler!)

[Diagram: switch table (Mask, Match, Address) with Tp pointing at its first entry]

1. Add first step in SwHandler, with data state

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  (Index and Tp.Mask) = Tp.Match ?

2. Partially evaluate wrt data state

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?

3. Generate successors (PC, data state) & add

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?
      =  {Tp → T[0]}  Jump to Tp.Address (DTC)
      ≠  {Tp → T[0]}  Advance Tp to next entry

4a. Partially evaluate wrt data state

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?
      =  Jump to (DTC resolved)
      ≠  {Tp → T[0]}  Advance Tp to next entry

● DTC resolved
● PE ends on this path
● CFG building continues (shown later)

4b. Partially evaluate wrt data state

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?
      =  Jump to
      ≠  {Tp → T[0]}  Tp := addr (T[1])

New data state: Tp → T[1]

Generate successors: can we loop?

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?
      =  Jump to
      ≠  {Tp → T[0]}  Tp := addr (T[1])

New data state: Tp → T[1]
Cannot create loop because the data state is different

5. Generate successors (PC, data state) & add

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?
      =  Jump to
      ≠  {Tp → T[0]}  Tp := addr (T[1])
   {Tp → T[1]}  (Index and Tp.Mask) = Tp.Match ?

Loop expands (unrolls) itself

6. Partially evaluate wrt data state

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?
      =  Jump to
      ≠  {Tp → T[0]}  Tp := addr (T[1])
   {Tp → T[1]}  (Index and 254) = 8 ?

7. Generate successors (PC, data state) & add

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?
      =  Jump to
      ≠  {Tp → T[0]}  Tp := addr (T[1])
   {Tp → T[1]}  (Index and 254) = 8 ?
      =  {Tp → T[1]}  Jump to Tp.Address (DTC)
      ≠  {Tp → T[1]}  Advance Tp to next entry

8. Partially evaluate wrt data state, etc.

Flow graph so far:
   Tp := addr (T[0]); Index := k; invoke SwHandler
   {Tp → T[0]}  Index = 4 ?
      =  Jump to
      ≠  {Tp → T[0]}  Tp := addr (T[1])
   {Tp → T[1]}  (Index and 254) = 8 ?
      =  Jump to (DTC resolved)
      ≠  {Tp → T[1]}  Tp := addr (T[2])
   ... and so on ...

n. Add successors for last table entry

Flow graph (last part):
      ≠  {Tp → T[2]}  Tp := addr (T[3])
   {Tp → T[3]}  (Index and Tp.Mask) = Tp.Match ?

n+1. Partially evaluate wrt data state

Flow graph (last part):
      ≠  {Tp → T[2]}  Tp := addr (T[3])
   {Tp → T[3]}  0 = 0 ?

n+2. Generate & add feasible successors

Flow graph (last part):
      ≠  {Tp → T[2]}  Tp := addr (T[3])
   {Tp → T[3]}  0 = 0 ?
      = (true)   {Tp → T[3]}  Jump to Tp.Address (DTC)
      ≠ (false)  not added

n+3. Partially evaluate wrt data state

Flow graph (last part):
      ≠  {Tp → T[2]}  Tp := addr (T[3])
   {Tp → T[3]}  0 = 0 ?
      =  Jump to (DTC resolved)

● All paths end with resolved DTC
● Expansion of switch handler completed
   – for this switch-case statement

Completed flow-graph

   Tp := addr (T[0]); Index := k; invoke SwHandler
   Index = 4 ?
      =  Jump to
      ≠  next test
   (Index and 254) = 8 ?
      =  Jump to
      ≠  next test
   Index = 11 ?
      =  Jump to
      ≠  Jump to

The tests and jumps together form the residual SwHandler (T, *)

● Shows execution path to each case
● Shows conditions leading to each case

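The expansion walked through in steps 0 to n+3, as an added example (not code from the slides, the paper or Bound-T): a worklist builds the residual handler over (PC, Tp) nodes. The table contents are constructed from the residual tests the slides show (Index = 4, (Index and 254) = 8, Index = 11, 0 = 0), and the step names test/jump/advance are assumptions.

```python
from collections import deque

# Constructed table for the slides' switch: 4 -> A; 8, 9, 11 -> B; others -> C.
# Entry layout (Mask, Match, Address) as on the "simple 8-bit" handler slide.
T = [(0xFF, 4, "A"), (0xFE, 8, "B"), (0xFF, 11, "B"), (0x00, 0, "C")]

def fold_test(mask, match):
    """Partially evaluate (Index and Mask) = Match for constant Mask, Match.
    Returns (residual condition, feasible outcomes)."""
    if match & ~mask & 0xFF:      # Match has bits outside Mask: never equal
        return "false", {False}
    if mask == 0:                 # degenerates to 0 = 0: always equal
        return "true", {True}
    if mask == 0xFF:
        return f"Index = {match}", {True, False}
    return f"(Index and {mask}) = {match}", {True, False}

def expand_handler(table):
    """Worklist over (PC, Tp) nodes: PC is a handler step (assumed names),
    Tp the constant table position held in the data state.
    Returns (edges, resolved DTC targets by table position)."""
    edges, resolved = [], {}
    work, seen = deque([("test", 0)]), {("test", 0)}

    def add(src, label, dst):
        edges.append((src, label, dst))
        if dst[0] != "case" and dst not in seen:
            seen.add(dst)
            work.append(dst)

    while work:
        node = pc, tp = work.popleft()
        if tp >= len(table):
            raise ValueError("no catch-all entry: Tp leaves the table")
        mask, match, addr = table[tp]
        if pc == "test":
            cond, outcomes = fold_test(mask, match)
            if True in outcomes:
                add(node, cond, ("jump", tp))
            if False in outcomes:      # infeasible branches are never added
                add(node, f"not ({cond})", ("advance", tp))
        elif pc == "jump":        # DTC target is constant once Tp is known
            resolved[tp] = addr
            add(node, "static jump", ("case", addr))
        else:                     # advance: Tp changes, so no back edge forms
            add(node, "next entry", ("test", tp + 1))
    return edges, resolved
```
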
Summary
● Traditional flow-graph construction:
   – enumerate only PC values
● Flow-graph construction with PE:
   – choose relevant data state components (... but how?)
   – enumerate product domain (PC, data state)
● PE applied here to switch handlers
   – easy to choose the relevant data: the switch table and anything derived from it
● Other PE applications in WCET analysis?